Stopping Spoofing with DKIM and Exchange Online Protection (Video)

Stopping Spoofing

Stopping spoofing before it gets to your users becomes more important every day. Phishing is still the most common source of attacks, including malware, BEC scams, and ransomware. Providing defenses to stop spoofed and phishing emails from reaching your users is the best first line of defense. Thankfully, tools are available to help stop spoofing emails and handle phishing attempts. In this Tech Talk, Microsoft Security Architect Matt Soseman walks us through DKIM and demonstrates a number of email protection tools available in Microsoft Security Center.

The Threat of Spoofing and Phishing

$4.0 million is the average cost of a data breach.

81% of breaches involve weak or stolen passwords.

More than 300,000 new malware samples are created and spread every day.

87% of senior managers have admitted to accidentally leaking business data.

How does Microsoft protect its users against phishing?

When an email comes into your system, a series of 8 protections is applied:

Sender authentication checks

Implicit intra-organization domain spoof detection

Anti-virus engine scan

URL reputation scan

Phish content analysis (heuristic and rule-based)

ATP (Advanced Threat Protection) machine learning models

ATP heuristic clustering and detonation

ATP Link content detonation

Once the email is delivered, four additional functions protect user mailboxes:

ATP Safe Links time-of-click protection

Zero-hour auto purge

Safe Links for Office clients

Multi-factor authentication for Office 365

What is DKIM (DomainKeys Identified Mail)?

When a new email is sent, the signed elements of the message (title, body, etc.) are hashed to a unique text string.

That hash is then encrypted using a private key.

The encrypted hash is added to the email as a digital signature.

When the email arrives at the receiving server, the server sees this signature and runs a DNS query to get the public key needed to decrypt the signature.

The receiving server hashes the same elements and compares the result to the decrypted hash in the signature.

If the two hashes match, then the receiving server knows the email:

is really from the sending domain

has not been tampered with during transit

The problematic part about DKIM is that it is not universally adopted, so the lack of a DKIM signature does not mean that an email is malicious or fraudulent. DKIM only tells you that an individual signed email is legitimate. Since the DKIM signature is not easily seen by the end user, it does not stop spoofing of the “header from:” domain; however, it is a useful tool to stop spoofing emails that impersonate other employees at the same organization.
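The sign-and-verify sequence described above, as an added example that is not code from the video, the post or Microsoft: a Go program, constructed here, in which a map stands in for the DNS lookup of selector._domainkey.domain, a key is published per selector (which is also how a rotated key is introduced without breaking mail signed by the old one), and the verifier returns the signing domain d= separately because DKIM itself never compares it with the visible From header. Domain and address names are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"strings"
)

// dnsTXT stands in for DNS: "selector._domainkey.domain" -> public key (DER here; a real TXT record holds it base64-encoded in p=).
var dnsTXT = map[string][]byte{}

// publishKey makes a key pair and "publishes" the public half under a selector; rotation means a new key under a new selector.
func publishKey(selector, domain string) *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	dnsTXT[selector+"._domainkey."+domain], _ = x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return priv
}

// digest hashes the signed elements (From, Subject, body); the receiver recomputes the same hash.
func digest(from, subject, body string) []byte {
	h := sha256.Sum256([]byte(from + "\r\n" + subject + "\r\n" + body))
	return h[:]
}

// sign returns the essential DKIM-Signature fields: signing domain d=, selector s=, signature b=.
func sign(priv *rsa.PrivateKey, domain, selector, from, subject, body string) string {
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(from, subject, body))
	return "d=" + domain + "; s=" + selector + "; b=" + base64.StdEncoding.EncodeToString(sig)
}

// verify fetches the key for s=/d= from "DNS" and checks the signature over the recomputed hash. It returns
// (verified, d=); DKIM never compares d= with the visible From header, so a valid signature alone is not proof.
func verify(sigHeader, from, subject, body string) (bool, string) {
	fields := map[string]string{}
	for _, kv := range strings.Split(sigHeader, "; ") {
		k, v, _ := strings.Cut(kv, "=")
		fields[k] = v
	}
	pubAny, _ := x509.ParsePKIXPublicKey(dnsTXT[fields["s"]+"._domainkey."+fields["d"]])
	pub, ok := pubAny.(*rsa.PublicKey) // ok is false when no record exists for this selector
	if !ok {
		return false, fields["d"]
	}
	sig, _ := base64.StdEncoding.DecodeString(fields["b"])
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(from, subject, body), sig) == nil, fields["d"]
}
```

A receiver that wants to catch "header from" spoofing has to add the step DKIM leaves out: compare the returned d= with the From domain (the alignment check DMARC performs).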

How to Enable DKIM in Microsoft Admin Center

DKIM is enabled by default in Office 365 with a single key. To get to your DKIM settings:

Office 365 also automatically “rotates” your DKIM keys. DKIM key rotation is important for the same reasons as changing passwords: the longer a key remains the same, the more likely it is to be compromised. If, for some reason, you require additional configuration for DKIM, Microsoft has good guidance here.

Advanced Threat Protection Safe Attachments

Safe Attachments lets you scan every attachment that comes into your environment through Exchange, SharePoint, OneDrive and Teams. Instead of using obsolete hash/signature-based detection methods that miss most self-mutating malware, it actually opens or executes the attachment in a virtual sandbox and looks at the behavior of the file to determine whether it is malicious. This detonation process easily defeats most methods of attack.

Configuring ATP Safe Attachments Policies

From protection.microsoft.com

Click “Threat management” in the left-hand menu

Click “Policy” in the drop-down

Click “ATP Safe Attachments” in the main screen menu

Click the “+” icon on top of the policy list

Give the new policy a name and description

Select your desired response to detected malware:

Off – No Scanning

Monitor – Deliver after detection and track scan results

Block – Block the current malware and future emails and attachments with the same signature

Replace – Remove the malicious attachment, and continue to deliver the message

Dynamic Delivery – Deliver the message without attachments immediately, and reattach once the scan is complete.

Configure redirect.

This is simply the ability to send all detected malware to a monitoring address.

Select users, groups or domains that you want the policy to apply to.

We have done many deep dives into the various tools available to defend your users from Phishing and malware. For more guidance, check out the following Tech Talks and Blogs.

AgileSecurity

If you are looking for professional guidance in securing your Office 365 environment, we can help. Agile IT is a four-time Microsoft cloud partner of the year and has securely managed cloud transformation for over 1,000,000 accounts across nearly 2000 organizations. Our fixed-price services for security and managed services make budgeting easy and remove doubt. To find out more, contact us today.